Commitment Schemes

Many cryptographic protocols rely on commitment schemes, which are essential components. A commitment scheme enables a committer to generate and disclose a value, denoted as:


, also known as a commitment, that ties them to a message mm (binding) without disclosing the message to others (hiding or zero-knowledge). Subsequently, the committer can disclose the commitment by presenting a message to the public, which she asserts corresponds (completely or partially) to the concealed message mm linked with the commitment dd. A public verifier can then verify that the message mmβˆ— aligns with the commitment dd, derived from the hidden message mm, which was previously unknown to the verifier.

Commitment schemes can be categorized according to their mathematical structure or type of message mm which may comprise multiple components and structures, including sets, vectors, functions, and more. For example, here below are some of the types of commitment schemes:

  • For a single message mm, only a hash function can serve as the commitment primitive (e.g., SHA256, Keccak, Poseidon).

Last updated